Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Purpose

The purpose of this document is to describe how to import a HIAB image into an AWS environment.

Prerequisites


Download HIAB Image from Outscan

To download the HIAB image, go to Downloads on the Portal and click on the AWS image.

Note

To start testing the HIAB in your environment you need a minimum of 40 GB to handle targets, findings, logs and reports. For full production use we recommend 60 GB. During its lifetime the disk size may need to be extended as the workload increases, and it is recommended to start monitoring disk space from the beginning to avoid future problems.

Also, a minimum of 350 MB of free space is required when updating the HIAB.


Upload HIAB Image to AWS S3

  1. Create a non-public S3 bucket.



  2. Upload the HIAB image file to the S3 bucket.






Import HIAB Image from AWS S3

Follow the procedure below to import the image from AWS S3.

Create a service role

  1. Create a file named trust-policy.json on your computer. Add the following policy to the file:

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Effect": "Allow",
             "Action": "sts:AssumeRole",
             "Principal": { "Service": "vmie.amazonaws.com" },
             "Condition": {
                "StringEquals":{
                   "sts:Externalid": "vmimport"
                }
             }
          }
       ]
    }
  2. Use the create-role command to create a role named vmimport and grant VM Import/Export access to it. Ensure that you specify the full path to the location of the trust-policy.json file that you created in the previous step.

    aws iam create-role --role-name vmimport --assume-role-policy-document "file://C:\import\trust-policy.json"
  3. Create a file named role-policy.json with the following policy, where <HIAB_OVA_DESTINATION_BUCKET> is the bucket for disk images and export-bucket is the bucket for exported images:

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect": "Allow",
             "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket" 
             ],
             "Resource": [
                "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>",
                "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>/*"
             ]
          },
          {
             "Effect": "Allow",
             "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetBucketAcl"
             ],
             "Resource": [
                "arn:aws:s3:::export-bucket",
                "arn:aws:s3:::export-bucket/*"
             ]
          },
          {
             "Effect": "Allow",
             "Action": [
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
             ],
             "Resource": "*"
          }
       ]
    }
  4. Use the put-role-policy command to attach the policy to the role created above. Ensure that you specify the full path to the location of the role-policy.json file.

    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\import\role-policy.json"
  5. Add the VM import policy to the service role.

    C:\Users\Test>aws --profile Test_new iam create-role --role-name vmimport --assume-role-policy-document "file://C:\Outpost24\Q&A\AWS Import-VM\trust-policy.json"
    {
        "Role": {
            "Path": "/",
            "RoleName": "vmimport",
            "RoleId": "[ROLE ID OUTPUT]",
            "Arn": "arn:aws:iam::[AWS ACCOUNT ID]:role/vmimport",
            "CreateDate": "2019-10-25T14:00:47Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "vmie.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {
                            "StringEquals": {
                                "sts:Externalid": "vmimport"
                            }
                        }
                    }
                ]
            }
        }
    }
  6. Add the S3 access policy to the service role.

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":[
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket" 
             ],
             "Resource":[
                "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>",
                "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>/*"
             ]
          },
          {
             "Effect":"Allow",
             "Action":[
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
             ],
             "Resource":"*"
          }
       ]
    }

    C:\Users\Test>aws --profile Test_new iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://C:\Outpost24\Q&A\AWS Import-VM\role-policy.json"

  7. Import the HIAB image from the S3 bucket with the following command.

    C:\Users\Test>aws ec2 import-image --disk-containers Format=ova,UserBucket="{S3Bucket=<HIAB_OVA_DESTINATION_BUCKET>,S3Key=image/<Outpost24-HIAB-x86_64-xxxxxxxxxx>}"


    or by creating a JSON file to import the image.

    [
    	{
    		"Description": "HIAB",
    		"Format": "ova",
    		"UserBucket": {
    			"S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>",
    			"S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>"
    		}
    	}
    ]
    C:\Users\Test>aws --profile Test_new ec2 import-image --description "<Outpost24-HIAB-x86_64-xxxxxxxxxx>" --disk-containers "file://C:\Outpost24\Q&A\AWS Import-VM\hiab-aws-container.json"
    {
        "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>",
        "ImportTaskId": "[import-ami-xxxxxxxxxxx]",
        "Progress": "2",
        "SnapshotDetails": [
            {
                "DiskImageSize": 0.0,
                "Format": "OVA",
                "UserBucket": {
                    "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>",
                    "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>"
                }
            }
        ],
        "Status": "active",
        "StatusMessage": "pending"
    }
  8. Check the status.

    C:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx]
    {
        "ImportImageTasks": [
            {
                "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>",
                "ImportTaskId": "[import-ami-xxxxxxxxxxx]",
                "Progress": "28",
                "SnapshotDetails": [
                    {
                        "DiskImageSize": 2378187264.0,
                        "Format": "VMDK",
                        "Status": "active",
                        "UserBucket": {
                            "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>",
                            "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>"
                        }
                    }
                ],
                "Status": "active",
                "StatusMessage": "converting"
            }
        ]
    }
    C:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx]
    {
        "ImportImageTasks": [
            {
                "Architecture": "x86_64",
                "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>",
                "ImportTaskId": "[import-ami-xxxxxxxxxxx]",
                "LicenseType": "BYOL",
                "Platform": "Linux",
                "Progress": "52",
                "SnapshotDetails": [
                    {
                        "DeviceName": "/dev/sda1",
                        "DiskImageSize": 2378187264.0,
                        "Format": "VMDK",
                        "Status": "completed",
                        "UserBucket": {
                            "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>",
                            "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>"
                        }
                    }
                ],
                "Status": "active",
                "StatusMessage": "preparing to boot"
            }
        ]
    }
    
    
    C:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx]
    {
        "ImportImageTasks": [
            {
                "Architecture": "x86_64",
                "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>",
                "ImportTaskId": "[import-ami-xxxxxxxxxxx]",
                "LicenseType": "BYOL",
                "Platform": "Linux",
                "Progress": "58",
                "SnapshotDetails": [
                    {
                        "DeviceName": "/dev/sda1",
                        "DiskImageSize": 2378187264.0,
                        "Format": "VMDK",
                        "Status": "completed",
                        "UserBucket": {
                            "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>",
                            "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>"
                        }
                    }
                ],
                "Status": "active",
                "StatusMessage": "booting"
            }
        ]
    }
    C:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx]
    {
        "ImportImageTasks": [
            {
                "Architecture": "x86_64",
                "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>",
                "ImportTaskId": "[import-ami-xxxxxxxxxxx]",
                "LicenseType": "BYOL",
                "Platform": "Linux",
                "Progress": "69",
                "SnapshotDetails": [
                    {
                        "DeviceName": "/dev/sda1",
                        "DiskImageSize": 2378187264.0,
                        "Format": "VMDK",
                        "Status": "completed",
                        "UserBucket": {
                            "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>",
                            "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>"
                        }
                    }
                ],
                "Status": "active",
                "StatusMessage": "booted"
            }
        ]
    }
    C:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx]
    {
        "ImportImageTasks": [
            {
                "Architecture": "x86_64",
                "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>",
                "ImportTaskId": "[import-ami-xxxxxxxxxxx]",
                "LicenseType": "BYOL",
                "Platform": "Linux",
                "Progress": "76",
                "SnapshotDetails": [
                    {
                        "DeviceName": "/dev/sda1",
                        "DiskImageSize": 2378187264.0,
                        "Format": "VMDK",
                        "Status": "completed",
                        "UserBucket": {
                            "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>",
                            "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>"
                        }
                    }
                ],
                "Status": "active",
                "StatusMessage": "preparing ami"
            }
        ]
    }




    C:\Users\Test>aws --profile Test_new ec2 describe-import-image-tasks --import-task-ids [import-ami-xxxxxxxxxxx]
    {
        "ImportImageTasks": [
            {
                "Architecture": "x86_64",
                "Description": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>",
                "ImageId": "[ami-xxxxxxxxxxxxxxx]",
                "ImportTaskId": "[import-ami-xxxxxxxxxxx]",
                "LicenseType": "BYOL",
                "Platform": "Linux",
                "SnapshotDetails": [
                    {
                        "DeviceName": "/dev/sda1",
                        "DiskImageSize": 2378187264.0,
                        "Format": "VMDK",
                        "SnapshotId": "[snap-xxxxxxxxxxxxx]",
                        "Status": "completed",
                        "UserBucket": {
                            "S3Bucket": "<HIAB_OVA_DESTINATION_BUCKET>",
                            "S3Key": "<Outpost24-HIAB-x86_64-xxxxxxxxxx>"
                        }
                    }
                ],
                "Status": "completed"
            }
        ]
    }


    AWS console after importing the image.
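
The trust-policy.json and role-policy.json files from the service-role steps above can be checked offline before create-role and put-role-policy are run. The Python sketch below is an added example, not Outpost24's code; its function names are assumptions. It confirms that the trust policy is limited to vmie.amazonaws.com with the vmimport external ID, and that the S3 statements name real buckets rather than wildcards or the placeholders used on this page.

```python
import json

VMIE = "vmie.amazonaws.com"  # service principal from the page's trust policy

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc):
    """Findings for trust-policy.json: who may assume the vmimport role."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Principal") not in ({"Service": VMIE}, {"Service": [VMIE]}):
            findings.append("principal is not limited to " + VMIE)
        # IAM condition key names are case-insensitive; the value is compared exactly.
        equals = st.get("Condition", {}).get("StringEquals", {})
        ext_id = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if ext_id != "vmimport":
            findings.append("no StringEquals sts:ExternalId = vmimport condition")
    return findings

def check_role_policy(doc):
    """Findings for role-policy.json: S3 statements must name real buckets."""
    findings = []
    for n, st in enumerate(_as_list(doc.get("Statement", [])), start=1):
        actions = _as_list(st.get("Action", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue  # not an S3 statement (e.g. the page's ec2 statement)
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"statement {n}: wildcard S3 action")
        for res in _as_list(st.get("Resource", [])):
            bucket = res.split(":::", 1)[-1].split("/")[0]
            if "*" in bucket:
                findings.append(f"statement {n}: S3 access not scoped to a bucket ({res})")
            elif "<" in bucket or bucket == "export-bucket":
                findings.append(f"statement {n}: placeholder bucket name in {res}")
    return findings

# Constructed inputs: the page's trust policy and its step 6 role policy, unedited.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "vmie.amazonaws.com"},
    "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}}]}
BUCKET_ARN = "arn:aws:s3:::<HIAB_OVA_DESTINATION_BUCKET>"
ROLE_DRAFT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*"]}]}

if __name__ == "__main__":
    print(json.dumps({"trust": check_trust_policy(TRUST), "role": check_role_policy(ROLE_DRAFT)}, indent=2))
```

An empty list from both functions means the files are ready to pass to the aws iam commands; load your own files with json.load before calling them.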




Launch the Image

Click on Launch Instance to start using the newly created Image. 


Enroll the Server

Provide the necessary information and enroll the server.